Three newly discovered malicious Python packages posted to the Python Package Index (PyPI) are now believed to be part of the VMConnect campaign and have also been tied to the North Korean Lazarus Group.
VMConnect is a popular tool IT teams use to connect a virtual machine to install or interact with the guest operating system in a virtual machine. Since VMware has more than 500,000 customers globally, the impact on enterprise operations is potentially significant.
Karlo Zanki, who headed up the VMConnect research for ReversingLabs, said the samples the team collected in the latest iteration of the VMConnect campaign share malicious functionality (via the builder.py file) with a previously discovered and documented malicious package: py_QRcode, which was not a publicly hosted file.
“When we looked deeper, we found the malicious code in py_QRcode was nearly identical to malicious code in QRLog, previously identified Java malware, with the two packages sharing both code and command and control (C2) infrastructure,” said Zanki.
Digging deeper, Zanki said QRLog, which was initially discovered by the threat researcher Mauro Eldritch, has been analyzed and attributed by Crowdstrike with a high degree of confidence to Labyrinth Chollima, a subgroup within the Lazarus Group.
"In short, as we look at the....malicious code, as well as supporting infrastructure for these latest VMConnect malicious packages, many of the clues point in the direction of previously discovered and documented malware and campaigns linked to Lazarus Group and the DPRK,” said Zanki.
Lazarus Group a persistent threat
ReversingLabs first identified VMConnect in an Aug. 3 blog post, in which it reported that the campaign consisted of two dozen malicious Python packages posted to the PyPI open-source repository. Sonatype also reported on the case in a blog post Aug. 3, in which they said VMConnect contains much of the same code as its legitimate VMware counterpart and has been downloaded 237 times, according to PePy.tech.
Ted Miracco, chief executive officer at Approov, said this campaign offers rather sobering insights into both the evolution and persistence of North Korean cyber operations targeting the software supply chain. Miracco said while North Korean actors have been active in cyber espionage and financial crime for years, VMConnect and related efforts mark a calculated shift towards more subtle, software-based attacks that display increasing technical sophistication, and patience. He said the gradual buildup of innocuous packages to gain reputation, combined with delayed triggers reflect a long-term strategy of infecting widely used open-source repositories.
“It underscores North Korea's asymmetrical approach of using a few very advanced cyber adversaries against much larger nation states,” said Miracco. “Unable to compete economically or militarily, this regime skillfully exploits interdependent global software ecosystems, where a handful of corrupted packages can deliver malware, and the associated chaos that goes with it, across millions of devices. The age of open source innocence is over. Private and public sectors must cooperate deeply on software assurance and provenance. Defeating North Korean supply chain exploits will require matching determination, cooperation, and collective urgency.”
Emily Phelps, director at Cyware, added that for more than a decade, Lazarus has been linked to several high profile espionage campaigns and financially motivated cybercrimes. Phelps said ReversingLabs noted they have collected enough evidence to link these latest activities to the group, and while Lazarus has used a variety of malware families, some suggest they are slightly easier to track than others.
“This does not make them any less dangerous,” said Phelps. “Advanced persistent threats are challenging because they often have the resources to persist in their attacks. Still, organizations should maintain strong security hygiene, patch and update systems, conduct regular awareness training, maintain multiple backups of their files and systems, and develop strong threat intelligence and incident response programs.”